WabiSabiLabi in Redmond

Oct 1, 2007 10:32 GMT

Microsoft was one of the main critics of the WabiSabiLabi project, an initiative designed as a veritable vulnerability bazaar. Essentially, WabiSabiLabi acts as a marketplace for software security holes, enabling security researchers to profit from the vulnerabilities they discover. Microsoft, like the majority of software vendors, supports a policy under which the security researcher merely reports the vulnerability and gets credited for it, without any financial transaction being involved. WabiSabiLabi aims to reduce the volume of zero-day security flaws sold to attackers on the underground market by providing a transparent online auction site for buyers and sellers of vulnerabilities.

Microsoft's position is understandable, as the vast majority of the vulnerabilities traded or awaiting bids on WabiSabiLabi are in some way connected to its Windows platform. However, this does not mean that the Redmond company is ignoring WabiSabiLabi. Just the opposite, in fact. Roberto Preatoni, strategic director, and Giacomo Paoni, CTO of WabiSabiLabi, participated in the recent "BlueHat v6: The Vuln Behind The Curtain" closed-door security conference in Redmond.

"We understood this was probably the right occasion to discuss our initiative directly with the people from whom we could expect the most solid critics or maybe, the most solid handshakes. It was a challenge we had to take. Guess what? We indeed received both solid critics and solid handshakes. Once at the conference, we were asked to hold three different speech sessions. Two for the executives and one for the Microsoft employees, developers, long-time friends," revealed a representative of WabiSabiLabi.

Microsoft continues to support what it calls the responsible disclosure of vulnerabilities, and has stated in the past that it has not paid for vulnerabilities and will not get involved in the commerce in software vulnerabilities, even when its own products are affected. The Redmond company has been criticized for this position, which some interpret as a disregard for user security.

"We had the occasion to explain our initiative in detail, and to answer challenging questions, especially those coming from some of the Microsoft executives. One of them suggested that we be more transparent by publishing our own vulnerability acceptance policy. Suggestion taken. The conference was very useful for us also because it gave us the possibility to exchange views and contacts with the speakers, a bunch of young, brilliant minds from whom we got good advice," the WabiSabiLabi representative added.